A desktop computer connects directly to a DNS server through an encrypted channel

What Is DNS over TLS (DoT)?

By LibreGuard Team May 23, 2026 3 min read

The short answer

DNS over TLS (DoT) encrypts DNS queries and responses between a device and a DNS resolver using Transport Layer Security (TLS). A client opens a TLS-protected connection to the resolver, usually on port 853, and sends normal DNS messages inside it.

DoT protects that link from passive observers and helps the client authenticate the resolver it selected. It is not an anonymity service, and it does not prevent the resolver or the websites you connect to from learning information that is necessary for their roles.

The problem DoT addresses

DNS lets an application find a service from its name. With ordinary DNS, the names in those lookups can often be visible on the route to the resolver. This is separate from the website connection: HTTPS can encrypt the page traffic while the preliminary DNS lookup remains exposed.

DoT uses TLS to give DNS the same kind of transport protection familiar from secure web and mail connections. A person listening on local Wi-Fi, for example, should not be able to read the DNS messages exchanged with the DoT resolver.

How a DoT connection works

The client connects to a resolver that offers DoT and performs a TLS handshake. Certificate validation helps the client verify it reached the intended service. Once the protected connection is established, the client sends DNS queries and receives DNS responses over it.

The DNS message format remains DNS; TLS protects the channel carrying it. A resolver may support both conventional DNS and DoT, but a client must be configured or designed to choose the encrypted endpoint. The standard specifies port 853 as the default dedicated port for DNS over TLS.

Privacy limits and resolver trust

Encryption changes who can observe a query in transit, not who receives it. The DoT resolver still processes the queries, may operate logs according to its policy, and may need to perform recursive lookups on behalf of the client. Choosing a resolver is therefore a trust and privacy decision.

DoT also does not make an IP connection disappear. When an application contacts a website, the network still needs to carry packets to that destination. HTTPS, account security, browser protections, and careful service choices remain important.

DNSSEC is another separate technology. DNSSEC lets validating resolvers check signed DNS data; DoT encrypts transport to a resolver. They solve different problems and can be used together.

DoT and split DNS

Many workplaces use internal DNS names for services that are not reachable from the public internet. A device that sends every query to a public DoT resolver may fail to resolve those names or bypass local policy. Managed devices often need a configuration that sends internal queries to the correct internal resolver.

This is not a reason to avoid encryption. It is a reminder that DNS settings are part of a network design. Before switching system-wide DNS, consider whether your network uses internal services, parental controls, security filtering, or a resolver supplied by a VPN client.

DoT versus DoH

DNS over HTTPS (DoH) has a similar privacy goal but carries DNS inside HTTPS rather than a dedicated DNS-over-TLS service. DoH commonly uses the web's HTTPS port and HTTP behavior; DoT is easier to identify as DNS because it has a dedicated port and protocol.

For an individual device, either can be a reasonable encrypted-DNS choice when supported by a trustworthy resolver. The practical differences are compatibility, device configuration, network policy, and the resolver's service rather than a simple security ranking.

The takeaway

DoT encrypts the DNS connection from your device to its resolver and normally uses port 853. It improves confidentiality on that segment, but it does not remove trust in the resolver or replace other security and privacy protections.

Further reading